In servers settings there is an option to "Force URL settings" and also a place to set the server protocol. If the "Force URL settings" is set to "YES" and "https://" is typed in the server protocol, should this cause the board to be loaded as https instead of http? I tried this and so far I don't notice any change.

To use https you need to have a ssl certificate installed on your server for the domain that your phpBB board is on.

DavidRemember: You only know what you know and - you don't know what you don't know!My CDB Contributions | How to install an extensionI will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.No support requests via PM or email as they will be ignored

In servers settings there is an option to "Force URL settings" and also a place to set the server protocol. If the "Force URL settings" is set to "YES" and "https://" is typed in the server protocol, should this cause the board to be loaded as https instead of http?

The https/http settings in the ACP (from my personal experience) will force which urls are required for login, and set the url default for all links posted in the forum using BBCodes or linking to internal pages in the forum.

However, It will not auto change the url address. To force change the url address, editing the .htaccess file needs to be done, but before the one for phpbb can be done, the one for your entire website has to be done first.

NOTE: If you set up the https without force changing all urls in the .htaccess files, then half of everyone visiting your forum will be blocked from registering/signing in, because if they are on the wrong url, that will prevent them and they won't know why because there are no messages to tell them.

In servers settings there is an option to "Force URL settings" and also a place to set the server protocol. If the "Force URL settings" is set to "YES" and "https://" is typed in the server protocol, should this cause the board to be loaded as https instead of http? I tried this and so far I don't notice any change.

"Force server URL settings:" uses variables obtained from the server, in almost all cases you will want this set to no. For example this may append the port to the domain. This needs to be properly configured on the server to work.

Server protocol should be https:// , this will make sure all internal links parsed by the script are using https e.g. topic titles, forum titles, breadcrumb etc. AFAIK it does not redirect http to https however If you load a http page all the internal links should be https links. To redirect http to https use htaccess file.

Server port in almost all cases will be 443 for https, 80 is for http.

As already mentioned you need a valid SSL certificate to use https. Without one your users will either get warning if the server has default certificate and will have toi make an exception or an error that there is no certificate.

Thanks for the feedback everyone. My plan on HostGator is the basic plan, which upon further research apparently doesn't provide for an option for https. How important is running https for a forum?

Without it browsers are going to issue warnings on things like the login box. The reason for this is for example suppose the user is using public wifi, someone with access to the router could obtain their login credentials.

Since right now I can't purchase the certificate, should I still change the settings in the ACP to reflect https and 443 instead of 80 for the port?

I would suggest leaving it as it is.

So if a user wants, does typing "https" in the URL provide the same security as if I had the certificate?

Firstly if you do not have valid certificate this would require a default or self signed certificate. If a default certificate is present the user will get a warning page and will specifically need to make an exception to view the site over https. This is useful if for example you yourself want to access the site over https to perform administration tasks. It will protect your login credentials from third parties*. Not so useful for your visitors.

This is secure as far as the communication between your browser and the server is concerned but going back to the public wifi example someone could spoof a site in which case it would not be your server you were communicating with. Not such a huge threat for minor site but a very big deal if it was banking site.

Thanks for the replies and explanations. So when I manually type in "https://" followed by my site URL, there is a lock symbol prior to my site address. What does that symbol indicate exactly? Sorry if this isn't sinking in for me.

Thanks for the replies and explanations. So when I manually type in "https://" followed by my site URL, there is a lock symbol prior to my site address. What does that symbol indicate exactly? Sorry if this isn't sinking in for me.

If there is a lock of any kind that means the connection between the browser and server is encrypted.

If the lock is green that means you have a valid certificate for that domain, the certificate is validated by trusted third party. Communication between the browser and the server is both encrypted and secure because you know the domain content is valid.

If the lock is green but there is a any other icons like exclamation point or it's not green there is something wrong. For example if you have an image embedded that is not from a secure connection it will cause this. If the certificate is self signed it will also cause this.

A self signed certificate will give warnings to your users and they will need to make an exception to load the page. It's only useful if for example you yourself want to use it for encrypted communication.

How you install the certificate depends on the hosting control panel/server and may not be possible at all if the host has removed that option. You'll need to consult your hosts documentation and the documentation for your hosting control panel to install one.